JDBC中由Statement对象引起的安全问题及解决

 1 package com.yxfyg.dao.impl;
 2 
 3 import java.sql.Connection;
 4 import java.sql.PreparedStatement;
 5 import java.sql.ResultSet;
 6 import java.sql.SQLException;
 7 import java.sql.Statement;
 8 
 9 import com.yxfyg.dao.UserDao;
10 import com.yxfyg.util.JDBCUtil;
11 
12 public class UserDaoImpl implements UserDao{
13 
14     @Override
15     public void login(String username,String password) {
16         Connection conn = null;
17         Statement st = null;
18         ResultSet rs = null;
19         try {
20             conn = JDBCUtil.getConn();
21             st = conn.createStatement();
22             String sql = "select * from user where username = ‘" + username + "‘ and password = ‘" + password + "‘";
23             rs = st.executeQuery(sql);
24             if(rs.next()) {
25                 System.out.println("密码正确");
26             }else {
27                 System.out.println("密码错误");
28             }
29         } catch (SQLException e) {
30             e.printStackTrace();
31         }finally {
32             JDBCUtil.release(rs, st, conn);
33         }
34     }
35 
36     @Override
37     public void loginUpdate(String username, String password) {
38         Connection conn = null;
39         PreparedStatement ps = null;
40         ResultSet rs = null;
41         try {
42             conn = JDBCUtil.getConn();
43             String sql = "select * from user where username = ? and password = ?";
44             //预先对SQL语句进行语法校验,占位符对应的内容都会被看成字符串
45             ps = conn.prepareStatement(sql);
46             //占位符对应的索引从1开始
47             ps.setString(1, username);
48             ps.setString(2, password);
49             rs = ps.executeQuery();
50             if(rs.next()) {
51                 System.out.println("密码正确");
52             }else {
53                 System.out.println("密码错误");
54             }
55         } catch (SQLException e) {
56             e.printStackTrace();
57         }finally {
58             JDBCUtil.release(rs,ps,conn);
59         }
60     }
61 }

JDBC中由Statement对象引起的安全问题及解决

上一篇:[delphi 数据库同步]delphi的万能数据库操作


下一篇:Oracle11g数据库快速安装